var express = require('express');
var router = express.Router();

// In-memory store for the demo: one slot (`comments.v`) living at module
// level, so it is process-wide state shared by every request and every
// client, not per-user data.
var comments = {};

// Encoding helper
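/**
 * HTML-encode untrusted text so it can be embedded in a page as literal text.
 *
 * Encodes the five HTML-significant characters (& < > ' "), turns line breaks
 * into <br> and every remaining whitespace character into &nbsp;.
 *
 * @param {*} str - Value to encode. null/undefined yield "". Non-strings
 *   (e.g. the array Express produces when a query key is repeated) are
 *   coerced with String() first so that .replace cannot throw.
 * @returns {string} the encoded text
 */
function html_encode (str) {
  if (str == null) return "";
  var s = String(str);
  if (s.length === 0) return "";
  // '&' goes first so the entities introduced below are not double-encoded,
  // and it must become &amp; — the original "&gt;" turned every ampersand
  // into '>' instead of escaping it.
  s = s.replace(/&/g, "&amp;");
  s = s.replace(/</g, "&lt;");
  s = s.replace(/>/g, "&gt;");
  s = s.replace(/'/g, "&#39;");
  s = s.replace(/"/g, "&quot;");
  // Line breaks before the generic whitespace pass: \s matches \n, so in the
  // original order the <br> replacement could never fire. The inserted <br>
  // is a fixed literal, not user data, so it is safe to add after encoding.
  s = s.replace(/\r?\n/g, "<br>");
  s = s.replace(/\s/g, "&nbsp;");
  return s;
}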

/* GET home page. */
router.get('/', function (req, res, next) {
  // Reflected-XSS demo: the raw `xss` query parameter is passed straight to
  // the view without encoding. Whether the browser treats it as markup
  // depends on how the template interpolates it (not visible in this file).
  // For the non-vulnerable version of the page, render without the `xss` key.
  // The original also had a disabled line setting X-XSS-Protection to 0;
  // current browsers ignore that header, so a Content-Security-Policy is the
  // relevant mitigation when this page is not meant to be vulnerable.
  var locals = { title: 'Express', xss: req.query.xss };
  res.render('index', locals);
});

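router.get('/comment', function (req, res, next) {
  // Stored-XSS demo: the encoded comment is kept in a single module-level
  // slot shared by every client, so whatever the last caller submitted is
  // what /getComment returns to everybody.
  var raw = req.query.comment;
  // A missing key arrives as undefined and a repeated key (?comment=a&comment=b)
  // as an array; neither has .replace, so normalise to a string before encoding
  // instead of letting html_encode throw and the request fail with a 500.
  var text = raw == null ? '' : String(raw);
  comments.v = html_encode(text);
  // The original handler never sent a response, so every request to this
  // route hung until the client gave up; acknowledge with the stored value,
  // in the same shape /getComment uses.
  res.json({ comment: comments.v });
});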

router.get('/getComment', function (req, res, next) {
  // Returns the most recently stored (already HTML-encoded) comment. Until
  // /comment has been called once, `comments.v` is undefined and the key is
  // simply omitted from the JSON body.
  var payload = { comment: comments.v };
  res.json(payload);
});

module.exports = router;
